Supporting use of scalable computing to drive innovation and wealth creation.

Monday, 5 April 2010

Beyond SPT (Security, Privacy and Trust) What Else You Must Worry About in the Cloud?

Perhaps by now you would have attended at least two workshops on cloud computing and heard half a dozen people emphasizing three top cloud computing worries Security, Privacy and Trust. Not surprisingly significant effort is being put to find reasonable solutions to Security, Privacy and Trust in the industry and academia. Consortiums are also trying to set standards for identity management etc.

I am not denying SPT the attention they deserve. But they assume importance only when there are things in the cloud. I would like to mention three issues associated with taking things into the cloud. And one issue which is as generic as SPT.

My list includes the following:

1. Migrating applications into the cloud2. Designing applications to meet large scale customer demand3. Platform gap between cloud and non-cloud services4. Disaster Recovery in the cloud

Let’s see each one in a bit more detail.

1. Migrating applications into the cloud

I have heard politicians, local councils and consultants talk about how magnificent public services would be when they get onto the cloud. But the main question is “Are these services in a state where they could be migrated to the cloud?” I wouldn’t bet my dollar on a positive answer to this question. Most of the services quoted by cloud lovers are developed by service providers for the local councils and federal Governments and optimized for them. I am somewhat confident to say that these applications have such a strong coupling with existing architecture, IT infrastructure and IT culture, that it would be quite a challenge to migrate them to the cloud, be it the Government’s own cloud.

Challenge is same in a large enterprise. Majority of IT applications are bespoke. Though large scale commercial applications are purchased for the global consumption of the enterprise, there are numerous local tweakings which pose significant obstacle to taking them to the cloud. In nightmarish scenarios, CIOs may not even have the list of these tweakings and local managers might exaggerate the side effect of migrating to cloud largely helped by the fear of the unknown.

To further compound the problem, local departmental managers may have sponsored bespoke IT applications that do not fit well into the overall architecture of the enterprise let alone designed for scalability.

2. Designing applications to meet large scale customer demand

While businesses are busy gauging up cloud computing, developers are busy churning out new applications for cloud and non-cloud environments. While large software product developers have kept the art of service enabling applications to the cloud largely a secret, pure software service providers are on their own to discover best practices in designing and developing truly scalable applications. As application scalability can neither be measured nor effectively demonstrated before the application is sold, it is quite possible that heuristics and business value articulation are in play to promote scalability.

It makes sense for the developer community to go back to the basics and re-learn the art of software architecture and design including design patterns and performance engineering until such time the academia comes out with languages and IDEs with built-in frameworks for guaranteed interoperability, scalability and performance.

Perhaps it is sufficient if software is designed the way it is supposed to be - cloud or non-cloud. In design phase, designer should focus on modularity, technology independence, high performance and resource utilization. Design flaws are likely to be tolerated under “General Issues with IT” in a non cloud context, but mean a disaster for the application in the cloud context because the cloud would easily expose any design flaws associated with performance and resource utilization.

3. Platform gap between cloud and non-cloud services

With hybrid clouds becoming a reality, applications and services are likely to be spread between on-cloud and off-cloud contexts. There could be few software elements such as application servers that might exist on both contexts. Though supplied by the same vendor, on-cloud and off-cloud software elements are likely to remain as separate products. As a result, a large enterprise is likely to have variety of products on-and-off cloud. And some services such as messaging are likely to exist both on and off cloud.

The question is what percentage of enterprise applications remains sensitive to this platform gap? Data is very likely to be shared between both contexts and hence a clear separation (on-cloud, off-cloud) is not practical. So, how would applications be interoperable in such a scenario? Though interoperability is achieved, there is one more problem – variable degree of control. On-cloud services are likely to be less controllable by the purchasing enterprise compared to off-cloud services.

One way to help is to look for products that are agnostic to this platform gap, which means more market research!

4. Disaster Recovery In the cloud

How many enterprises see disaster recovery as an all inclusive, overarching theme that is beyond backup? And how many enterprises believe that disaster recovery is one of those responsibilities which cannot be purchased?

Disaster Recovery is a business process which employs technical and non-technical means to ensure business continuity (not just data recovery).

Cloud Service providers might bundle support for disaster recovery with their standard services. CIOs must examine the boundaries where services terminate and responsibilities change hands. These business interfaces could terminate independent of each other and one cannot force a handshake between multiple service providers especially when things go wrong.

Some enterprises have the habit of separating disaster recovery plan from business continuity plan. It would be beneficial if the buyer of cloud service takes an integrated approach to business continuity and disaster recovery and drives common understanding of disaster and end to end minimum service levels across multiple cloud service providers.

That was a brief introduction to some of the issues that I thought CIOs would like to consider beyond security, privacy and trust in a cloud computing scenario.